[Enhancement] OpenID Connect/SSO support

LycheeOrg / Lychee

A great looking and easy-to-use photo-management-system you can run on your server, to manage and share photos.

https://lycheeorg.github.io/

MIT License

3.43k stars 305 forks source link

[Enhancement] OpenID Connect/SSO support #1844

Closed dan-r closed 4 months ago

dan-r commented 1 year ago

Is there any plan or want for implementing SSO or another method of automatic external authentication like header auth?

I'm happy to write the feature and raise a PR for this, but am a little unsure on how to handle the 'administrator' access level, as from the current implementation there is only one, whereas with a third party IDP you could potentially have a group of administrators.

ildyria commented 1 year ago

Hi,

There was a request for for LDAP integration but it ended up being rejected because the author was not complying to our phpstan requests and testing. :(

We do support Header Auth token (if generated by Lychee), but this requires pre-regisration.

I would also suggest you also have a look at: https://laravel.com/docs/10.x/socialite and https://github.com/LycheeOrg/Lychee/issues/792

You will still need to create a user in the Lychee DB (either on successful login to the SSO system) in order to track the rights, that will be the way to define whether admin access are provided or not.

ildyria commented 10 months ago

@dan-r FYI #2190 will provide Oauth support to major providers (Amazon, Facebook, Google, GitHub, NextCloud, Mastodon, Microsoft).

dan-r commented 10 months ago

@ildyria great news, thanks for letting me know. Sorry I didn't get the chance to take a look at implementing it! I'll give the PR a test.

ildyria commented 10 months ago

To clarify this still requires the user to have an account and then we link it. But now that the ground work is laid down, it should be easy to add a setting to allow creation of accounts on Oauth authentication.

ildyria commented 5 months ago

@dan-r Check out #2475 (though untested)

jsaathof commented 4 months ago

This is a valuable addition for having SSO. it does no longer require you to add a new user beforehand. I have tested this with my Keycloak environment. It works just fine. Now only if I would have user group support where I just have to add the new user to a group to give access to multiple albums, that would be awesome!

I do understand the warning about "shooting yourself in the foot" when using other, public OIDC authentication mechanisms. Anyone can log in and create an account.

hhanzo1 commented 4 months ago

I have Google OAuth2 setup and can authenticate to Lychee successfully.

My understanding is that we need to create a Lychee account first, then a user can click on the G icon and authenticate via OAuth.

I have the following defaults:

oauth_create_user_on_first_attempt 0
oauth_grant_new_user_upload_rights 0
oauth_grant_new_user_modification_rights 0

I can authenticate with Google even if I dont have a Lychee account created. Also it looks like the admin account since I can view Settings etc.

What could I be missing?

Thanks.

ildyria commented 4 months ago

wohowowowo

My understanding is that we need to create a Lychee account first, then a user can click on the G icon and authenticate via OAuth.

Yes.

I can authenticate with Google even if I dont have a Lychee account created. Also it looks like the admin account since I can view Settings etc.

That would be BAD.

Let me check.

ildyria commented 4 months ago

I can authenticate with Google even if I dont have a Lychee account created. Also it looks like the admin account since I can view Settings etc.

Can you check in the admin user profile panel what is in the "Set up Oauth authentication" part. I am not able to reproduce your bug with my GitHub Oauth.

hhanzo1 commented 4 months ago

Can you check in the admin user profile panel what is in the "Set up Oauth authentication" part.

It shows 'Set up Google', I click on it then it says 'Google token registered (reset)'

I am not able to reproduce your bug with my GitHub Oauth.

~~I'll test again today and will test with Github Oauth then report back.~~

I tested with Github Oauth and get the same behaviour. I can authenticate with my Github account without an established Lychee account as admin. I've tried incognito mode and on mobile phone with the same result.

There must be something wrong in my config attached maybe?

lychee-diag.txt

In my .env not sure if this is related?

SECURITY_HEADER_HSTS_ENABLE=false
SECURITY_HEADER_CSP_CONNECT_SRC=
SECURITY_HEADER_SCRIPT_SRC_ALLOW=
SESSION_SECURE_COOKIE=false

and the Oauth config looks like this


GITHUB_CLIENT_ID=********************
GITHUB_CLIENT_SECRET=*******************************
GITHUB_REDIRECT_URI=/auth/github/redirect

GOOGLE_CLIENT_ID=*********************************************.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-****************************
GOOGLE_REDIRECT_URI=/auth/google/redirect

ildyria commented 4 months ago

It shows 'Set up Google', I click on it then it says 'Google token registered (reset)'

It literally says here that the google token is linked. Just click reset and it will be fine.

ildyria commented 4 months ago

When you click on set up the connection, you are linking the account to your google account! Like this is the INTENDED behavior.

hhanzo1 commented 4 months ago

When you click on set up the connection, you are linking the account to your google account! Like this is the INTENDED behavior.

OK. This is point that I was missing.

Updated flow:

Add a new local account and password
Authenticate with new local account <-- critical step
Choose U2F then select Set up Google
Logout
Authenticate with Google by clicking on the G

I can confirm it's working great.

Thank you!